Chapter 13: Internet of Things (IoT) – Opportunities and challenges

Obtaining evidence from the multitude of digital items that make up the Internet of Things (IoT) environment is not as simple as seizing a laptop or mobile phone. Devices are created for functionality and are not necessarily conducive to a digital forensics process. Also, identifying the numerous IoT devices that may be located within a scene may be a difficult task as IoT devices may be worn on a person or implanted under their skin. An IoT device may be identified as a larger physical item such as a home assistant, set-top box, a sensor, or an actuator with electronics to manage connectivity requirements.[1]

Digital evidence in an IoT environment can originate from multiple sources.

These being:

  1. The companion device such as a laptop or smartphone used to set up and/or control the IoT device.[2],[3] This may even extend to the local web interface such as a touchscreen device.[4]
  2. The cloud computing service the IoT device is attached to.[5]
  3. Network analysis including identification of usage statistics, software and system logs uploaded to the cloud computing service.
  4. IoT device analysis where some devices contain small quantities of usage data.[6],[7]

As a technical guide, there are several standards that an investigator may wish to review in association with their digital forensic technician.

These are:

  • ISO/IEC 27042:2015 Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence.[8]
  • ISO/IEC 27050-1:2016 Information technology — Security techniques — Electronic discovery. Part 1: Overview and concepts.[9]
  • ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework.[10]

IoT devices are data-hungry and continually collect and assess data. The data is collected from sensors, which vary with the type of device, its purpose, and the manufacturer’s specifications.[11]

Examples of sensors are:[12]

  • Accelerometers (Movement or location).
  • Activity sensors (Detection/Presence).
  • Cameras (Detection/Presence).
  • Chemical sensor (Measures/Event date or duration).
  • Electric sensors (Consumption/Event date or duration).
  • GPS sensors (Movement or location).
  • Gyroscope (Movement or location).
  • Humidity sensor (Measures/Event date or duration).
  • Microphones (Detection/Presence).
  • Rotation sensors (Movement or location).
  • Temperature sensor (Measures/Event date or duration).
  • Water sensors (Consumption/Event date or duration).

Offenders may have limited knowledge of the technical environment in which they are operating and the digital evidence they are leaving at a crime scene. This may be of significant help to the investigator once they identify where the digital evidence is located, which of the many IoT devices it came from, and the format in which the data is stored.[13]

Whilst IoT devices potentially generate a lot of evidence, obtaining that evidence in a forensically sound manner is not as simple as with more established devices such as computers and mobile phones. The following section identifies and discusses these challenges.

Challenges to IoT evidence

The forensic challenges IoT devices and the environment create have been the subject of considerable research. This chapter seeks to present the challenges identified so the investigator understands the unique environment in which they are working.

Whilst IoT devices have the potential to be of major assistance to the investigator, devices can come with a series of unique problems that will need to be addressed.

Attack or deficit attribution

Evidence may be located within a scene, but identifying which person within the scene is responsible for the recorded activity may not be simple. Just as important evidence found on a computer must be tied to the specific person who generated it, particularly where multiple users share the same username and password, IoT evidence must be attributed to an individual.

An example may be the IoT evidence identifying five people within a scene at a specific point in time but may not be able to uniquely identify the individual who committed the act under investigation.

IoT logs

Logs tell the story of what the device has recorded. They may be seen as crucial to understanding events involving the particular devices and what they have recorded happening in their environment.

Logs are rarely stored within the device itself,[14],[15] although there are instances when this occurs, depending on the manufacturer’s specifications. More commonly, logs are stored in the device’s cloud service, which is a separate environment in which evidence must be located and seized.

Access to the logs in the cloud environment may be gained through the companion device, such as a laptop or smartphone, that has been set up to interact with the cloud service.[16] A major consideration in this instance is having the legal authority to obtain evidence from cloud computing services, which may be located in a foreign legal jurisdiction.[17]

IoT devices generate a lot of data but have limited storage available, meaning that evidence may be overwritten very quickly. Because devices passively and constantly record new activity into a small storage capacity, previous data is overwritten and lost. As investigators enter a scene where IoT evidence is present, limiting interaction with the environment until the IoT evidence can be located and seized may be of value, depending on the immediacy of other circumstances faced by crime scene investigators.

Chain of evidence

Evidence obtained from IoT devices and associated data obtained from sources such as cloud computing services is required to be seized, preserved, viewed, and stored in a manner in which the courts can have confidence in its integrity. Rules of evidence have been established by courts over the generations, and it is the investigator’s duty to understand and apply these laws for all forms of evidence. Evidence obtained from IoT devices has to be justified to the courts as is any other form of evidence, digital or otherwise.[18]

The chain of evidence refers to the accounting of evidence from the time it is located until it is produced in a court of law. Every person who has possession and/or interaction with the evidence must account for it in a statement and be prepared to give evidence in a court of law as to the manner of their possession or interaction with the evidence and its secure handling. In effect, the court wants to know if the evidence being produced is the same as that seized and if its integrity can be assessed.[19]

IoT devices generate evidence that is highly volatile in nature. As mentioned, devices have only a small amount of in-device storage, which means the evidence you seek may be overwritten quickly, perhaps by the investigation team’s own activities within the scene being recorded by the IoT device. The order of seizure of digital evidence therefore needs to account for the volatility of IoT evidence, which should be seized early in the digital evidence seizure process.

Cloud computing evidence

Photo of a computer server. Image by Massimo Botturi on Unsplash.

Devices may store logs and any associated data in the manufacturers’ cloud services where the client has an account. As with any cloud service, particular care needs to be placed on obtaining this evidence, potentially from a foreign legal jurisdiction, in a legal and timely manner.[20]

When evidence is seized from a cloud computing service, whether it relates to IoT evidence or otherwise, accounting for the chain of evidence will be a major feature of planning for this phase of the investigation. A qualified forensic examiner will be of value as well as digitally recording all steps of the evidence identification and capture if legal authority is obtained for connecting to the cloud service and seizing the evidence.[21]

Cloud computing services operate within a multi-tenancy environment, meaning numerous clients share the same resources. Conducting an image within this environment may raise ethical considerations.[22],[23] A potential problem could be ensuring only the subject’s data is captured and not that of other clients in the multi-tenancy cloud environment.[24],[25]

The legality of obtaining evidence from a separate organisation’s cloud server must be addressed prior to the examination, as well as understanding the multi-jurisdictional legality of your actions.[26],[27] The remote capture of cloud-based evidence may be legal in your jurisdiction, but this does not mean it is legal for you to seize the data in the jurisdiction where it is resident. Further, you may not know where your cloud evidence is resident, as many cloud services operate in a multiple-jurisdiction environment.[28],[29]

Cloud computing is particularly relevant to the IoT environment as device logs are often stored in the manufacturer’s cloud storage[30] and home assistants process user requests in a cloud service. In most instances the cloud will be where the IoT-related evidence resides.

Digital forensics evidence

How any form of digital evidence is captured may be questioned in court, and it is the role of the investigator to ensure it has been captured in a manner according to the established rules of evidence in their jurisdiction.[31]

A series of challenges the digital forensic investigator may face include:[32],[33],[34],[35],[36],[37],[38],[39],[40]

  • Data may be stored across multiple locations such as the companion device, hub, or cloud. This is device-dependent, and manufacturers may change specifications across different models.
  • Devices are unique to each manufacturer, and there may be no documented methodology or forensic tools to be able to obtain digital evidence from an IoT device in a forensically sound manner.
  • Devices often do not hold any form of digital evidence. Therefore, investigations may need to be conducted within the cloud computing environment.
  • Digital forensic tools designed and tested to operate within an IoT environment may not be readily available. Established digital forensic tools may not have been tested against specific IoT devices for accuracy of data identification and collection.
  • The distributed nature of IoT devices within a scene creates the challenge of identifying which device to examine in the order of volatility.
  • Encryption is a problem for the examiner in any environment, and IoT devices may transmit and store data including log files in an encrypted format.
  • Universally accepted forensically sound data capture methodologies have not been established.
  • Lack of forensic preparedness of IoT devices.
  • Lack of standardized hardware architecture means accessing the data within a device where it exists may be difficult. Smart devices often do not follow a common set of standards.
  • Lack of standardisation of time across devices; not all are synchronised with Network Time Protocol. Devices within the IoT environment, or companion devices, may be set to different time zones.
  • Lack of standardisation of Wi-Fi protocols. There are multiple Wi-Fi protocols, and the choice made depends upon the user.
  • Multiple Operating Systems depending upon the device manufacturer.
  • Proprietary Operating System, files and communication protocols and encryption hinder forensic analysis. The OS may be unknown to the forensic examiner.
  • Securing a crime scene with IoT devices is a forensic challenge as the devices continue to collect the activity of the investigators. Identifying all the IoT devices in a scene may take some time, during which the devices continue to passively collect data as per the instructions of their sensors. The recording of this extra activity means the digital evidence is not as it was when the suspect left the scene, and an effort must be made to identify and explain all logs generated by investigator activity in distinction to that of the suspect(s).
  • Size of data collected of forensic interest. Data log files may be small or extensive, depending on the established criteria of the IoT manufacturer.
  • The variety of IoT devices able to be recognised and forensically understood.
  • Vendors design products for functionality and standards change between device manufacturers. This includes device Operating Systems and protocols.

Evidence analysis and correlation

Some IoT devices’ memory stores data that may be useful as evidence.[41] This is discussed further in Chapter 11 “The Smart Home”.

The smartphone connected to the IoT network may contain evidence such as cached image thumbnails, cached events triggered by the IoT sensors and complete event logs in the application database, as well as credentials to gain access to the cloud service.[42] The device itself may contain some digital data of benefit to the investigator; however, due to the design of the device, it may be in a volatile state or stored in a connected cloud service.[43]

IoT devices may store data within the device; however, many do not, preferring to use cloud services connected to the device. The IoT service provider often stores device data, meaning a client may not have direct access to the data their device generates.[44] This can leave the investigator unable to access the device evidence through the companion device, such as the user’s laptop or smartphone, and having to make inquiries with the device manufacturer.

An investigator relying upon IoT evidence may benefit from identifying whether there are any signs of the device being compromised by malicious software, computer viruses, or from being hacked or used for criminal activities.[45] This is no different from traditional computer and mobile device examinations. If the device has been compromised in some manner, the accuracy of the data assimilated into the investigation may be affected.

An investigator will need to understand whether the activity recorded is due to human behaviour, accidental behaviour, or technical issues.[46]

As a part of the scene process, it is important to map the IoT environment to identify, where possible, how devices connect and operate within the home network. This may be by Bluetooth or Wi-Fi. Alternatively, IoT devices may only have an external connection via a user’s smartphone app. If you are relying on an IoT device as evidence in an investigation, it would be highly beneficial to understand how the device collects data and is connected to the location’s network.

A map of where the IoT devices are located would be beneficial as it shows where specific activity took place.

Unstructured nature of the data

As previously mentioned, many IoT devices produce large volumes of data which may be able to help the investigator.[47]

For the investigator, it is better to have too much data than too little. The problem is that much of the data from the multitude of IoT devices is unstructured, or not explicit, such as codes in a database.[48],[49]

Devices vary according to the manufacturer’s design. There is no industry-accepted design standard for IoT devices, and there are multiple versions of Operating Systems available to control the operation of the IoT device. They may also use different Wi-Fi protocols, which present a further level of planning for the digital forensic investigator.[50]

Manufacturers preserve and present their log data in different formats; there is no one-format-fits-all approach to log recording. To read and present this evidence in court may require reformatting of logs in a manner consistent with other digital evidence, so that it is human readable and sense can be made of it. When this is the case, the evidence and the processes used to reformat the data may be subject to review by the courts to ensure the evidence can be relied upon. This may be particularly crucial when a timeline of events is being built and the reformatted data from an IoT device is a key part of the reconstruction of events within the scene.
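The reformatting described above, carried through as an added example that is not the manual’s own process: three constructed exports in different formats and time references (a hub CSV with no time zone, a cloud export in epoch milliseconds, a camera log with an explicit offset) are placed on one UTC clock, each source is hashed before conversion, events after the scene-entry time are flagged as investigator activity (the volatility and time-zone points raised earlier in the chapter), and the reformatted timeline gets its own digest so the court can re-verify it. Device names, field layouts and the assumed +10:00 hub time zone are illustrative assumptions.

```python
"""Normalise heterogeneous IoT log exports into one UTC timeline (added example).
All log lines are constructed samples; formats, device names and the assumed
+10:00 hub zone are illustrative, not any vendor's real export format."""
import csv
import hashlib
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed exports in three different vendor-style formats.
HUB_CSV = (
    "timestamp,sensor,event\n"
    "2024-03-05 14:02:11,hallway_pir,motion\n"  # local time, no zone recorded
    "2024-03-05 14:09:50,hallway_pir,motion\n"
)
CLOUD_JSONL = (
    '{"ts": 1709611340000, "device": "front_door", "event": "open"}\n'  # epoch ms
    '{"ts": 1709613030000, "device": "front_door", "event": "open"}\n'
)
CAM_LOG = (
    "2024-03-05T14:02:40+10:00 cam01 person_detected\n"  # ISO 8601 with offset
    "2024-03-05T14:31:05+10:00 cam01 person_detected\n"
)
AEST = timezone(timedelta(hours=10))  # assumed hub zone, taken from its settings


def sha256_hex(text: str) -> str:
    """Digest of the untouched export, recorded before any reformatting."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _record(utc, source, device, event, raw, tz_assumed):
    return {"utc": utc, "source": source, "device": device,
            "event": event, "raw": raw, "tz_assumed": tz_assumed}


def parse_hub_csv(text, local_tz):
    """Hub timestamps are naive local time; the zone is an investigator assumption."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        out.append(_record(local.astimezone(timezone.utc), "hub", row["sensor"],
                           row["event"], ",".join(row.values()), True))
    return out


def parse_cloud_jsonl(text):
    """Cloud export uses epoch milliseconds, which are unambiguous (UTC)."""
    out = []
    for line in text.splitlines():
        obj = json.loads(line)
        utc = datetime.fromtimestamp(obj["ts"] / 1000, tz=timezone.utc)
        out.append(_record(utc, "cloud", obj["device"], obj["event"], line, False))
    return out


def parse_cam_log(text):
    """Camera log carries an explicit UTC offset, so no assumption is needed."""
    out = []
    for line in text.splitlines():
        stamp, device, event = line.split(" ", 2)
        utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        out.append(_record(utc, "camera", device, event, line, False))
    return out


def build_timeline(records, scene_entered_utc):
    """Sort every source on one clock and flag events after investigators arrived."""
    timeline = sorted(records, key=lambda r: r["utc"])
    for r in timeline:
        r["phase"] = "investigator" if r["utc"] >= scene_entered_utc else "suspect"
    return timeline


def timeline_digest(timeline):
    """Deterministic hash of the reformatted output so it can be re-verified later."""
    rows = [f'{r["utc"].isoformat()}|{r["source"]}|{r["device"]}|{r["event"]}|{r["raw"]}'
            for r in timeline]
    return sha256_hex("\n".join(rows))


def demo():
    """Returns (source digests, normalised timeline, timeline digest)."""
    provenance = {"hub": sha256_hex(HUB_CSV), "cloud": sha256_hex(CLOUD_JSONL),
                  "camera": sha256_hex(CAM_LOG)}
    records = (parse_hub_csv(HUB_CSV, AEST) + parse_cloud_jsonl(CLOUD_JSONL)
               + parse_cam_log(CAM_LOG))
    scene_entered = datetime(2024, 3, 5, 4, 30, tzinfo=timezone.utc)  # 14:30 local
    return provenance, build_timeline(records, scene_entered), None


if __name__ == "__main__":
    prov, tl, _ = demo()
    for r in tl:
        flag = " (zone assumed)" if r["tz_assumed"] else ""
        print(f'{r["utc"]:%Y-%m-%d %H:%M:%S}Z {r["phase"]:<12} {r["source"]:<6} '
              f'{r["device"]} {r["event"]}{flag}')
    print("source digests:", prov)
    print("timeline sha256:", timeline_digest(tl))
```

Records whose zone was assumed are marked in the output so the assumption can be stated in the examiner’s statement alongside the source digests.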

Key Takeaways

Knowledge of IoT is essential

IoT devices may present volumes of data that record all the activity at a crime scene, however identifying and seizing it in a forensically secure manner as demanded by the courts presents new challenges for the digital evidence examiner.

Understanding the unique nature of IoT devices and how they operate is becoming an essential skill for investigators as IoT devices can answer many of the key questions investigators want to know.

Examples of key questions an investigator working at a crime scene would ask:

  • Who was involved?
  • When did the activity take place?
  • What happened afterwards?

The answers to these questions are data captured by a multitude of IoT devices currently appearing in smart homes and businesses, sitting in digital storage locations waiting for the astute investigator to identify, locate and seize it as evidence.

These devices will not provide the answers in all instances, just as no investigation strategy will work every time. However, as the IoT devices mentioned throughout this book evolve and become even further embedded into people’s lives, the answers the detective seeks may be close by.

  1. Hegarty, R., Lamb, D., & Attwood, A. (2014). Digital Evidence Challenges in the Internet of Things. 163–172.
  2. Dorai, G., Houshmand, S. & Baggili, I. (2018). I know what you did last summer: Your smart home Internet of Things and your iPhone forensically ratting you out. In ARES 2018 - 13th International Conference on Availability, Reliability and Security, Article 3232814 (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3230833.3232814
  3. Awasthi, A., Read, H. O. L., Xynos, K., & Sutherland, I. (2018). Welcome pwn: Almond smart home hub forensics. Digital Investigation, 26, S38–S46. https://doi.org/10.1016/j.diin.2018.04.014
  4. Ibid.
  5. Dorai, G., Houshmand, S. & Baggili, I. (2018). I know what you did last summer: Your smart home Internet of Things and your iPhone forensically ratting you out. In ARES 2018 - 13th International Conference on Availability, Reliability and Security, Article 3232814 (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3230833.3232814
  6. Ibid.
  7. Awasthi, A., Read, H. O. L., Xynos, K., & Sutherland, I. (2018). Welcome pwn: Almond smart home hub forensics. Digital Investigation, 26, S38–S46. https://doi.org/10.1016/j.diin.2018.04.014
  8. ISO/IEC 27042:2015 Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence https://www.iso.org/standard/44406.html
  9. ISO/IEC 27050-1:2016 Information technology — Security techniques — Electronic discovery. Part 1: Overview and concepts https://www.iso.org/standard/63081.html
  10. ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework https://www.iso.org/standard/45123.html
  11. Bouchard, F., Grimaud, G. & Vantroys, T. (2018). IoT forensic: Identification and classification of evidence in criminal investigations.
  12. Ibid.
  13. Hegarty, R., Lamb, D., & Attwood, A. (2014). Digital Evidence Challenges in the Internet of Things. 163–172.
  14. Conti, M., Di Natale, G., Heuser, A., Poppelmann, T., Mentens, N. (May 2017). Do we need a holistic approach for the design of secure IoT systems? CF'17: Proceedings of the Computing Frontiers Conference. Pages 425–430. https://doi.org/10.1145/3075564.3079070
  15. Servida, F. & Casey, E. (2019) IoT forensic challenges and opportunities for digital traces doi.org/10.1016/j.diin.2019.01.012. Digital Investigation 28 (2019) S22-29.
  16. Ibid.
  17. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  18. Ibid.
  19. Ibid.
  20. Ibid.
  21. Ibid.
  22. Hegarty, R., Lamb, D., & Attwood, A. (2014). Digital Evidence Challenges in the Internet of Things. 163–172.
  23. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  24. Servida, F. & Casey, E. (2019) IoT forensic challenges and opportunities for digital traces doi.org/10.1016/j.diin.2019.01.012. Digital Investigation 28 (2019) S22-29.
  25. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  26. Conti, M., Dehghantanha, A., Franke, K., Watson, S., Internet of Things security and forensics: Challenges and opportunities (2018) arXiv: 1807.10438 https://doi.org/10.48550/arXiv.1807.10438 
  27. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  28. Alenezi, A., Atlam, H. F., Reem, A., Alassafi, M., Wills, G. (2019). IoT Forensics: A State-of-the-Art Review, Challenges and Future Directions. International Conference on Complex Information Systems. https://www.semanticscholar.org/paper/IoT-Forensics%3A-A-State-of-the-Art-Review%2C-and-Alenezi-Atlam/397a4a107cf1486e5397bde849afc24b466affc8
  29. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  30. Alenezi, A., Atlam, H. F.,Reem, A., Alassafi, M., Wills, G. (2019).  IoT Forensics: A State-of-the-Art Review, Challenges and Future Directions. International Conference on Complex Information Systems. https://www.semanticscholar.org/paper/IoT-Forensics%3A-A-State-of-the-Art-Review%2C-and-Alenezi-Atlam/397a4a107cf1486e5397bde849afc24b466affc8  
  31. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  32. Conti, M., Di Natale, G., Heuser, A., Poppelmann, T., Mentens, N. (May 2017). Do we need a holistic approach for the design of secure IoT systems? CF'17: Proceedings of the Computing Frontiers Conference. Pages 425–430. https://doi.org/10.1145/3075564.3079070
  33. Servida, F. & Casey, E. (2019) IoT forensic challenges and opportunities for digital traces doi.org/10.1016/j.diin.2019.01.012. Digital Investigation 28 (2019) S22-29.
  34. Conti, M., Dehghantanha, A., Franke, K., Watson, S., Internet of Things security and forensics: Challenges and opportunities (2018) arXiv: 1807.10438 https://doi.org/10.48550/arXiv.1807.10438
  35. Alenezi, A., Atlam, H. F.,Reem, A., Alassafi, M., Wills, G. (2019).  IoT Forensics: A State-of-the-Art Review, Challenges and Future Directions. International Conference on Complex Information Systems. https://www.semanticscholar.org/paper/IoT-Forensics%3A-A-State-of-the-Art-Review%2C-and-Alenezi-Atlam/397a4a107cf1486e5397bde849afc24b466affc8
  36. MacDermott, A., Baker, T. & Shi, Q. (2018) IoT forensics: Challenges for the IoA Era. International Conference on New Technologies, Mobility and Security. In Semantic Scholar. https://www.semanticscholar.org/paper/Iot-Forensics%3A-Challenges-for-the-Ioa-Era-MacDermott-Baker/590b9d91ff28b5eaf0159ee5941e2f083fa76fb4#paper-topics
  37. Huda, N., Zulkipli, N., Alenezi, A. & Wills, G.B. (2017). IoT forensic: Bridging the challenges in digital forensics and the Internet of Things. Proceedings of the 2nd International Conference on the Internet of Things.
  38. Babun, Sikder, Acar & Uluagac. (2018). IoTDots: A Digital Forensics Framework for Smart Environments. arXiv. 1809.00745 https://doi.org/10.48550/arXiv.1809.00745
  39. Quick, D., Choo, K-K. IoT (n.d.) Device Forensics and Data Reduction. https://www.semanticscholar.org/paper/IoT-Device-Forensics-and-Data-Reduction-Quick-Choo/b5b5d69ebd4aade19d555aa899a7de5ff66f698c
  40. Edwards, G. (2019) Cybercrime Investigators Handbook, Wiley New Jersey USA.
  41. Servida, F. & Casey, E. (2019) IoT forensic challenges and opportunities for digital traces doi.org/10.1016/j.diin.2019.01.012. Digital Investigation 28 (2019) S22-29.
  42. Servida, F. & Casey, E. (2019) IoT forensic challenges and opportunities for digital traces doi.org/10.1016/j.diin.2019.01.012. Digital Investigation 28 (2019) S22-29.
  43. Hegarty, R., Lamb, D., & Attwood, A. (2014). Digital Evidence Challenges in the Internet of Things. 163–172.
  44. Hegarty, R., Lamb, D., & Attwood, A. (2014). Digital Evidence Challenges in the Internet of Things. 163–172.
  45. Quick, D., Choo, K-K. IoT (n.d.) Device Forensics and Data Reduction. https://www.semanticscholar.org/paper/IoT-Device-Forensics-and-Data-Reduction-Quick-Choo/b5b5d69ebd4aade19d555aa899a7de5ff66f698c
  46. Oriwoh, E., Jazani, D., Epiphaniou, G. Sant, P. (2013) Internet of Things Forensics: Challenges and Approaches. 9TH IEEE International Conference on Collaborative Computing. Semantic Scholar. DOI:10.4108/ICST.COLLABORATECOM.2013.254159.
  47. Yaqoob, Abaker, Hashem, Ahmed, Kazmi & Hong (2018). Internet of Things forensics. Recent advances, taxonomy, requirements and open challenges. Future Generation Computer Systems.
  48. Servida, F. & Casey, E. (2019) IoT forensic challenges and opportunities for digital traces doi.org/10.1016/j.diin.2019.01.012. Digital Investigation 28 (2019) S22-29.
  49. Yaqoob, Abaker, Hashem, Ahmed, Kazmi & Hong (2018). Internet of Things forensics. Recent advances, taxonomy, requirements and open challenges. Future Generation Computer Systems September 2018.
  50. Awasthi, A., Read, H. O. L., Xynos, K., & Sutherland, I. (2018). Welcome pwn: Almond smart home hub forensics. Digital Investigation, 26, S38–S46. https://doi.org/10.1016/j.diin.2018.04.014

Licence

Digital Evidence Manual Copyright © 2024 by Graeme Edwards is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.